DNV KEMA is a real, legitimate company in the energy sector, but they did not send the spam: an examination of the headers shows that the sending IP is 213.171.204.75, which is the same IP as www.dealerbid.co.uk and mail.dealerbid.co.uk. The email was sent to an address used ONLY to register at dealerbid.co.uk. So the upshot is that this domain is compromised, and it is compromised right now.

The email is meant to have an attachment called Quotation.zip, but in my sample the email was mis-formatted and instead the Base64-encoded ZIP file was in the main body text, starting thus:

UEsDBBQAAAAIAGiQJENXc/

KQmRoAACj9AQANAAAAUXVvdGF0aW9uLnZic+1dS3PcOJK+K0L/QeHD

Some copy-and-pasting and work with a Base64 decoder ended up with a valid ZIP file (the leading UEsDBB is simply the Base64 form of the PK\x03\x04 ZIP local file header, and UXVvdGF0aW9uLnZic decodes to the entry name Quotation.vbs), containing a somewhat obfuscated VBS script Quotation.vbs with a low VirusTotal detection rate of 4/46.

I really don't know a lot about VBScript, but it's an interpreted language (like JavaScript), so with some care you can get it to decode itself for you. The payload of the script was delivered by a line

execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin)

Changing "execute" to a series of commands that write the decoded string to a file out.txt gets the script to decode itself and present the deobfuscated code for you.

Obviously, great care should be taken to do this, and a throwaway virtual machine is advised in case of errors: everything in the script before the execute line (the decoder stage) still runs, and a slip in the edit could run the real payload.
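The whole procedure above (pull the Base64 ZIP out of the mangled body, check it really is a ZIP, read Quotation.vbs out of it, and swap the execute line for a file write) as a small Python helper. This is an added example, not code from the original post; the "email body" and the Quotation.vbs inside it are constructed stand-ins using the same execute(<obfuscated variable>) pattern quoted above, not the real malware, and the patched script it produces is meant to be run only in the throwaway VM the post recommends. It handles only the plain execute (var) form; VBScript's ExecuteGlobal and Eval would need the same treatment, and the returned count tells you when nothing matched.

```python
import base64
import io
import re
import zipfile

# Constructed stand-in for the decoded Quotation.vbs: same execute(<variable>)
# pattern as the sample described in the post, but the string it would run is
# a harmless WScript.Echo. This is NOT the real malware.
SAMPLE_VBS = (
    'lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin = "WScript.Echo ""decoded stage"""\r\n'
    'execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin)\r\n'
)


def build_sample_body() -> str:
    """Constructed message body like the mangled one in the post: some text, then
    the Base64 ZIP (wrapped at 76 columns) sitting where the attachment should be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Quotation.vbs", SAMPLE_VBS)
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    wrapped = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return "Subject: Quotation\n\nPlease find the quotation attached.\n\n" + wrapped + "\n"


B64_LINE = re.compile(r"[A-Za-z0-9+/]+=*")


def extract_zip(body: str) -> bytes:
    """Pull the Base64-encoded ZIP out of a body. The ZIP local file header
    PK\\x03\\x04 always Base64-encodes to a run starting 'UEsDB', so that is the
    anchor; the run ends at the first blank line or line with non-Base64 characters."""
    start = body.find("UEsDB")
    if start < 0:
        raise ValueError("no Base64-encoded ZIP found in body")
    chunks = []
    for line in body[start:].splitlines():
        line = line.strip()
        if not line or not B64_LINE.fullmatch(line):
            break
        chunks.append(line)
    raw = "".join(chunks)
    raw += "=" * (-len(raw) % 4)  # tolerate padding lost in copy-and-paste
    data = base64.b64decode(raw)
    if data[:4] != b"PK\x03\x04":
        raise ValueError("decoded data does not start with a ZIP local file header")
    return data


def list_entries(zip_bytes: bytes) -> list:
    """Names and uncompressed sizes, so you see what you are about to extract."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def read_entry(zip_bytes: bytes, name: str) -> str:
    """Read one entry into memory as text; nothing is written to disk or run."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name).decode("utf-8", errors="replace")


# Matches a statement of the form "execute (someVariable)" at the start of a line.
EXECUTE_RE = re.compile(r"^[ \t]*execute[ \t]*\([ \t]*(\w+)[ \t]*\)",
                        re.IGNORECASE | re.MULTILINE)


def neuter_execute(vbs: str, out_path: str = "out.txt") -> tuple:
    """Replace execute (var) with VBScript that writes var to out_path and quits.
    The decoder code before that line still runs when the patched script is
    executed, so only ever run the result in a throwaway VM. Returns
    (patched_script, number_of_execute_calls_replaced)."""
    def stanza(m):
        var = m.group(1)
        return "\r\n".join([
            "Dim deobFso, deobFile",  # odd names so they will not clash with the script's own
            'Set deobFso = CreateObject("Scripting.FileSystemObject")',
            f'Set deobFile = deobFso.CreateTextFile("{out_path}", True)',
            f"deobFile.Write {var}",
            "deobFile.Close",
            "WScript.Quit",
        ])
    return EXECUTE_RE.subn(stanza, vbs)


if __name__ == "__main__":
    body = build_sample_body()
    zip_bytes = extract_zip(body)
    print("entries:", list_entries(zip_bytes))
    patched, n = neuter_execute(read_entry(zip_bytes, "Quotation.vbs"))
    print(f"replaced {n} execute() call(s):\n{patched}")
```

Run the patched script with cscript in the VM, then read out.txt; if the decoded stage is itself another execute wrapper, feed out.txt back through neuter_execute and repeat.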

I haven't had time to do much analysis of the malicious script, except that it attempts to download further components from klonkino.no-ip.org (port 1804), which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip.org domains in any case, but I certainly recommend the following blocklist:

klonkino.no-ip.org

146.185.24.207

I haven't had time to analyse the second script further, but it has a VirusTotal detection rate of 21/47, which isn't too bad. If you want to have a look yourself, you can download the script from here (zip file, password = virus)... but obviously you need to know what you are doing!